bri3d a day ago

Ha! I actually use TinyPilot all the time, nice!

> I agree that would be nice, but it also doesn't sound all that practical for a small vendor.

Personalizing / customizing per device always introduces a huge amount of complexity (and thus cost). However, this is TP-Link we're talking about, who definitely have the ability to personalize credentials at scale on other product lines.

And again, to be clear, I'm not trying to argue that the current way is some horrible disaster from TP-Link, just advocating for a better solution where possible. I think the current system reads as fine, honestly, it sounds like typical cobbled together hardware vendor junk that probably has some huge amount of "real" vulnerability in it too, but this particular bit of the architecture doesn't offend me badly.

> now you have to unwind your manufacturing and fulfillment pipeline to get back all the devices you've shipped.

This can be avoided with some other type of proof-of-presence side channel which doesn't rely on manufacturing personalization - for example, a physical side-channel like "hold button to enable some PKI-based backup pairing or firmware update mode." For a camera, there should probably be an option to make this go away once provisioning is successful, since you don't want an attacker performing an evil maid attack on the device, but for pre-provisioning, it's a good option.

stephen_g 10 hours ago

> Personalizing / customizing per device always introduces a huge amount of complexity (and thus cost)

For a hardware product mass produced like this, they should already have a custom label that has the unique serial number on it which is also programmed into each device, so they should already have the infrastructure to do that (potentially as part of automated board testing/flashing). Adding a randomly generated password is hardly more work once you have the ability to do that.